We were recently asked to help a business centre with a networking conundrum. They have six offices with six separate businesses working within them. The six offices all connected to one central switch, which in turn was connected to two wireless access points and a DrayTek router.
The issue the business centre had was around data protection and GDPR, as each business was able to see their neighbour’s computers. This meant:
- Businesses could potentially access each other’s customer data
- A virus within one business could spread throughout the network
- No bandwidth management could be used, so one office could use all of the network
- A third party could potentially hack one office and use this to exploit
- VoIP phones were segmented, but their ports could only be used for phones, which left a lot of ports unused and unusable
The requirements for this work:
- Separate each business’s network traffic and make sure they can’t see each other’s data
- Implement bandwidth restrictions as a fair usage policy
- Prioritise voice traffic over other network communication
- Propose a solution that incurs minimal costs to the businesses
- Allow for remote management of the solution
Affirm IT proposed the use of VLANs to segment the network. These would be controlled using a “router on a stick” configuration. This would allow for all of the offices to be on their own private network without the need for any extra equipment.
The DrayTek router also serves as a security firewall to block inter-VLAN communication, meaning no office can see another office’s traffic. This allows each office to have a virtual firewall, negating the need for them to purchase a router each.
The steps required for this work:
1) A formal plan and documentation, showing which ports would be assigned to which business and also planning the wireless access.
2) VLANs are assigned to ports. We assigned each office a number of ports based on requirements. We then set up “tagged” or “trunked” ports between the switch and the wireless access points, as well as between the switch and the router. These tags allow other network devices to understand where the traffic has come from and where it needs to go.
3) We set up the DrayTek router to hand out IP addresses to clients with different addresses for each office.
4) Quality of Service was put onto the DrayTek to limit the amount of bandwidth each office could use (fair use policy) and also to prioritise voice traffic over normal data.
5) We configured firewall rules so that only the Affirm IT office can manage both the firewall and switch externally. Additionally, we set and documented secure passwords. These have been shared with the business centre.
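The plan from steps 1 to 3 can be checked before it is applied to the switch. The following is an added example, not Affirm IT's own tooling: it validates a port and VLAN plan for the mistakes that would break isolation between offices. The VLAN IDs, subnets, port numbers and the `validate_plan` helper are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan: VLAN IDs, subnets and port numbers are assumptions.
PLAN = {
    "vlans": {
        10: {"subnet": "192.168.10.0/24", "access_ports": [1, 2, 3, 4]},
        20: {"subnet": "192.168.20.0/24", "access_ports": [5, 6, 7, 8]},
        30: {"subnet": "192.168.30.0/24", "access_ports": [9, 10]},
    },
    # Tagged ports and the VLANs each one carries (router uplink, two APs).
    "trunks": {24: [10, 20, 30], 23: [10, 20, 30], 22: [10, 20, 30]},
    "router_port": 24,
}


def validate_plan(plan):
    """Return the problems in a plan that would break per-office isolation."""
    problems = []
    vlans, trunks = plan["vlans"], plan["trunks"]
    owner = {}  # access port -> VLAN that first claimed it
    for vid, cfg in vlans.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: ID outside 1-4094")
        for port in cfg["access_ports"]:
            if port in trunks:
                problems.append(f"port {port}: access port for VLAN {vid} is also a trunk")
            elif port in owner:
                problems.append(f"port {port}: untagged in VLAN {owner[port]} and VLAN {vid}")
            owner.setdefault(port, vid)
    # Each office needs its own, non-overlapping subnet for DHCP and firewalling.
    nets = [(vid, ipaddress.ip_network(cfg["subnet"])) for vid, cfg in vlans.items()]
    for i, (vid_a, net_a) in enumerate(nets):
        for vid_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"VLAN {vid_a} and VLAN {vid_b}: subnets overlap")
    for port, carried in trunks.items():
        undefined = sorted(set(carried) - set(vlans))
        if undefined:
            problems.append(f"trunk {port}: carries undefined VLANs {undefined}")
    # The router uplink must carry every VLAN, or that office has no gateway.
    missing = sorted(set(vlans) - set(trunks.get(plan["router_port"], [])))
    if missing:
        problems.append(f"router trunk {plan['router_port']}: missing VLANs {missing}")
    return problems


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan OK"]:
        print(line)
```

An empty result means the plan is internally consistent. It does not confirm that the router's firewall actually blocks inter-VLAN traffic, which still needs testing from a client in each office.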
I’ve also included a management port on the switch. This allows a computer with the correct IP address to communicate directly with the switch or router. Often this is not required, as a physical console port is allowed.